Seeing red over valentine envelopes

luis fernandes <elf@ee.ryerson.ca> Sat, 13 Feb 93 20:46:50 EST

The following appeared in the Feb. 13, 1993 issue of the "Toronto Star":
Edmonton(CP)-- It's that time of year again when love is in the air and Canada
Post is seeing red. Red envelopes, that is. That's because the computerized
mail sorting machines, which can process 33,000 letters an hour, have trouble
reading addresses off the red envelopes popular for Valentine Day greetings, a
Canada Post spokeswoman says. "We in Canada have some of the most technically
advanced machinery in the world," Teresa Williams says. "And while it's not
impossible for them to read red envelopes, some of them can present a bit of a
challenge." If your valentine card hasn't arrived, it may have been delayed
in the mail-sorting process, Williams says. A reminder for next year: white
envelopes should be used instead. "Or put a white sticker on a red envelope,"
Williams suggests.
Meanwhile Hallmark Cards Inc., based in the United States, is complying with a
U.S. Postal Service request to stop producing dark-colored envelopes over the
next couple of years. U.S. machines can't read them either.

KIO diskettes stolen from the Spanish Government

During the night of 5 February 1993, 18 diskettes were stolen from the
Ministry of Economy and Taxes in Madrid, Spain. All the diskettes contained
information on international funds transferred by the Kuwait Investment Office
(KIO) since 1988.
The situation of this large group of chemical, building and real estate
companies in Spain is very complex, because many of them are in bankruptcy,
the Spanish Government paid a lot of money for this industry support, there
are thousands of people losing their jobs, and present managers of KIO in
Spain demanded old jobs at the Court, because of money fraud and political
corruption.
Javier De la Rosa, Fouad K. Jaffar and Mohamed al Sabah are the names related
with it that appear every day in several press items that compare their
management with Michael Milken (convicted), John H. Gutfreund, Donald M.
Feurstein (Salomon Inc) and other Securities & Exchange Commission affairs in
USA. But they control many journalists here, thanks to the singer Julio
Iglesias' ex-manager, and now Javier De la Rosa's speaker [spokesman?],
Alfredo Fraile.
The Government Minister, Carlos Solchaga, told the press that he thinks the
goal of the thief is to sell this information to the press, and to discredit
HIM. He advised journalists not to buy this interesting digital information,
because legal prosecution will be ordered if anything is published.
On the other side, Javier De la Rosa told the journalists that there is a
mafia in Spanish bureaucracy that stole the diskettes. But this is not a
clever idea because it is not necessary to steal something that can be easily
diskcopied.
What is much more interesting is that KIO has nothing to say, and that a
Spanish Justice refused to accept its demand because there was not enough
information enclosed. It seems that they did not find a computer expert able
enough to look for financial scandal data in computers and back-ups, now
owned by them.
IMHO, everybody has too many things to hide in this sad story.
Miguel A. Gallardo Ortiz, PX86 Engineer UNIX&C freelance working on RSA crypto
Fernando Poo, 16 (Proyecto X86) E - 28045 Madrid (Spain)
Tel: (341) 474 38 09 - FAX: 473 81 97 E-mail: gallardo@batman.fi.upm.es

Japanese Bank Hit By Phone Fraud

John Mello <jmello@igc.apc.org> Tue, 23 Feb 93 14:20:38 PST

The Boston Business Journal, February 1993
A Boston branch of the Daiwa Bank Ltd., the 25th largest bank in the
world, was victimized by prison inmates with a gift for social engineering,
according to the Boston Business Journal. The inmates placed collect calls to
the Daiwa switchboard, identified themselves as telephone repairmen, and said
they could fix the company's telephone problems by being connected to an
outside line. Once connected to an outside line, the cons made long-distance
calls, sticking Daiwa with the tab. Some of the calls were to sex hotlines.
Hospitals in the Boston area were some of the first victims of this form
of phone fraud, the newspaper reported. Inmates treated at the hospitals
would memorize employees' names or use the names of physicians who appeared
on TV to con operators into giving inmates access to outside lines. Once the
operators got wind of what was happening, though, the hospitals were able to
clamp down on the problem. One inmate, impersonating a doctor who appeared on
TV the previous day, gave himself away by referring to himself by title
"doctor." The operator knew the physician always identified himself by his
first name. The last thing the jailbird heard before the operator hung up on
him was, "I suggest you speak to the warden about that."

Long Distance..Is the next best thing to praying there

From the {Washington City Paper} of Feb 19-25, page 18:
News of the Weird by Chuck Shepard:
"In January, Israel's national telephone company initiated a fax service that
transmits messages to God via the Wailing Wall in Jerusalem. In May, the
Roman Catholic Church will unveil a high-tech confessional at a trade show
in Vincenza, Italy, that will accept confessions by fax. And in December, a
sect of Orthodox Jews in Brooklyn, NY began selling its members special
beepers so they will know instantly when the Messiah arrives on earth."
And there is precedent for a response, I guess:
"Your Majesty, I have a message from God for you." - Judges 3:20
Paul Robinson — TDARCOS@MCIMAIL.COM
[Hopefully, the Messiah will not arrive on the Sabbath, although there
might be a question as to whether the beeper is actually being USED as
long as it does NOT trigger. Confessions by EMail should be easy to set
up. L.A. has long had drive-through churches; I suppose services via
on-line interactive multimedia X-window conferencing cannot be far behind.
But watch out for a hi-tech Allah McGordo bombshell in virtual reality.
PGN]

Consider this a balancing comment on economic risk of incorporating
American technology (it is also tangentially relevant to the original
discussion about export restrictions on US cryptographic technology).
I don't doubt that the French, German or British intelligence services carry
out occasional industrial espionage for their local industries (certainly, I
have seen reports of British intelligence doing this in the British press).
However, to balance this (lest anyone think from the above that the US is
somehow more virtuous in these things, and does not behave in such an
underhanded, ungentlemanly, or even, dare I say it, nefarious, manner) I
should point out that there are, or at least were, when I still lived there,
regular complaints in the British press from firms trying to sell technology
that contained US made components to, say, China, only to find, first, that
the US department of trade prohibited the sale on strategic grounds, and
second, that identical technology was suddenly no longer strategic when it was
offered by some US company that had mysteriously heard about the British deal,
and was able to close it instead.
Sean

Re: The "Information America" service

John Pettitt <jpettitt@well.sf.ca.us> Tue, 23 Feb 1993 16:54:41 GMT

Information America does a lot more than is described in the post (I have
not seen the Mondo article yet). I know one of their sales people (well, ex:
she quit just before Christmas). Their prime selling strategy to lawyers
seems to be in competition with Lexis, Nexis (sp?) and Dialog (all large
online database services).
The idea is that the lawyer (or more correctly a paralegal) can research
case law on line in a fraction of the time it would take in the law
library. They have all US court cases on line (local & federal).
I don't think there is any "dark" intent in the lack of publicity for IA,
more that they just don't see value in advertising to people who are not
going to buy their service.
As to the other services they provide, what is the problem? We live in an
information society. If you don't want people using and tracking information,
don't give it to them (i.e., go live some place where there are no phones or
credit cards).
[ P.S. I am CEO of a direct response marketing company so I'm biased :-) ]
John
[I presume there will be comments about a person's not having to give
the information to them for it to be there — whether it is right or
wrong! Subsequent discussion might better belong in the PRIVACY
groups noted in RISKS-14.34. PGN]

MIT's on-line Student Information Services (SIS)

"Jonathan I. Kamens" <jik@aktis.com> Wed, 10 Feb 93 18:19:20 -0500

(Re: "Anyone can get your U. of Illinois transcript" in RISKS-14.31)
MIT recently put on-line a new service, SIS, through which students can access
data in the registrar's database, including both personal and confidential
data about their own status and general data such as course schedules.
SIS is worth mentioning here, in response to Carl Kadie's message about
problems with a similar system at the University of Illinois, because (in my
opinion) SIS is a good example of system designers taking security issues
seriously enough and doing a good job of meeting security needs.
In order to use SIS to access personal data, a user must first register an
"extra" password with the Kerberos database. The program that registers this
password does so by transmitting it to the Kerberos server in encrypted form
(using a key derived from the user's main Kerberos principal, for which he
already has a password) so that it isn't exposed to the network.
The assumption that led to the extra-password requirement is that people
already have the mindset that it's OK to share their accounts (i.e., their
main Kerberos principal password) with other people, so that name/password
pair is not sufficient authentication. The documentation about SIS, and the
prompting that takes place when the user chooses an extra password, makes it
very clear that this password should be treated more securely by the user, and
that if the user sees fit to give it to others, that user is giving those
others access to his personal data in the registrar's database.
Once the user has registered for an extra password, he still can't access
personal data in the registrar's database immediately. A notification is
mailed, by U.S. Mail, to the address for the user in the registrar's database.
About a week after that notification is received by the user, the password
actually becomes active and the user can access personal data on-line.
Obviously, this second safeguard is to protect against the possibility of a
user registering another user's extra password. The notification mailed to
the user explains in detail what it's about, and tells the user whom to
contact if he *did not* register an extra password.
I suspect that an extra password does not become valid if the paper mail
notification is returned by the post office (i.e., is not successfully
delivered to the user). Granted, the time given for the notification to be
returned by the post office probably isn't sufficient for all failed deliveries,
but I think that the probability of a notification not being delivered
properly to someone whose extra password was illicitly registered by someone
else is sufficiently low that this is not a concern.
Once a user's extra password becomes valid he must type this password each
time he wants to use the SIS service to access personal data (and he must
already have valid Kerberos tickets for his main principal). The Kerberos
tickets thus acquired are used to establish a Kerberos-authenticated network
connection to the machine on which the registrar's database resides.
Furthermore, the session key created while establishing that connection is
used to encrypt all personal data sent over the network.
There is one more safeguard to prevent security breaches of the database. The
SIS protocol does not allow for direct modification of the database on the SIS
server. Most data in the system can't be modified through it at all; instead,
users must talk to the registrar directly to effect changes. The data that
*can* be modified is mostly MIT directory information, e.g., term address and
phone numbers, and when a user requests modifications to that data, the
modifications are stored and manually eyeballed for sanity by the registrar
before actually being fed into the system.
Finally, just in case there is some possibility that someone might manage to
break into the database machine (although it's pretty fortress-like in its
configuration :-), that machine is not actually the "home location" of the
registrar's database. It's a copy that is updated by SneakerNet (a tape
carried from the registrar's office) regularly. The registrar's computer is
on a subnet that is isolated from most of the campus network (and that is
certainly more paranoid about who gets to connect to it than the rest of the
campus network).
As you can see, I think that the people who designed and implemented
SIS did a good job of meeting security concerns. Their only mistake
was using Motif for the UI :-).
Jonathan Kamens Aktis, Inc. jik@Aktis.COM
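The extra-password lifecycle described in the message above, as an added example that is neither MIT's SIS code nor part of the original post: it models registration against a stand-in for the Kerberos database, the paper notice with a one-week activation delay, refusal when the registration is disputed or the letter comes back undelivered, the check on every read that requires both main-principal tickets and the extra password, and the review queue through which the only user-modifiable data (directory information) reaches the registrar. The 7-day delay, the PBKDF2 storage, the field names and the `SIS`/`demo` helpers are assumptions; the Kerberos encryption of the password in transit and of the session is not modelled.

```python
# Added example, not MIT's SIS code: a model of the extra-password lifecycle the
# post describes. Assumptions: a 7-day activation delay, an in-memory dict in
# place of the Kerberos database, PBKDF2 for password storage, and a queue that
# holds directory changes until the registrar has reviewed them.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ACTIVATION_DELAY = timedelta(days=7)  # assumed value for "about a week"

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class ExtraPassword:
    salt: bytes
    digest: bytes
    registered_at: datetime
    notice_returned: bool = False  # post office could not deliver the letter
    disputed: bool = False         # user reported that they never registered it

@dataclass
class SIS:
    extra: dict = field(default_factory=dict)    # principal -> ExtraPassword
    records: dict = field(default_factory=dict)  # principal -> registrar data
    pending_changes: list = field(default_factory=list)  # awaiting manual review

    def register_extra_password(self, principal, main_tickets_valid, password, now):
        """Step 1: needs main-principal tickets; returns the paper notice to mail."""
        if not main_tickets_valid:
            raise PermissionError("valid tickets for the main principal required")
        salt = os.urandom(16)
        self.extra[principal] = ExtraPassword(salt, _digest(password, salt), now)
        return {"mail_to": self.records[principal]["address"],
                "text": "If you did not register an extra password, contact the registrar."}

    def dispute(self, principal):  # the user got the letter and it was not them
        self.extra[principal].disputed = True

    def extra_password_active(self, principal, now):
        """Step 2: active only after the delay, never if bounced or disputed."""
        rec = self.extra.get(principal)
        if rec is None or rec.notice_returned or rec.disputed:
            return False
        return now >= rec.registered_at + ACTIVATION_DELAY

    def read_personal_data(self, principal, main_tickets_valid, password, now):
        """Step 3: every access needs tickets AND the extra password; None on failure."""
        if not main_tickets_valid or not self.extra_password_active(principal, now):
            return None
        rec = self.extra[principal]
        if not hmac.compare_digest(rec.digest, _digest(password, rec.salt)):
            return None
        return dict(self.records[principal])

    def request_directory_change(self, principal, main_tickets_valid, password,
                                 now, field_name, value):
        """Writes never touch the database: directory fields only, and queued."""
        if self.read_personal_data(principal, main_tickets_valid, password, now) is None:
            return False
        if field_name not in ("term_address", "phone"):
            return False  # anything else is changed only by talking to the registrar
        self.pending_changes.append((principal, field_name, value))
        return True

    def registrar_apply(self, index):
        """The registrar, having eyeballed a queued change, feeds it in."""
        principal, field_name, value = self.pending_changes.pop(index)
        self.records[principal][field_name] = value

def demo():
    """Run the lifecycle on constructed records and return what was observed."""
    sis = SIS(records={
        "alice": {"address": "MIT Box 0000 (constructed)", "term_address": "old dorm",
                  "phone": "000", "status": "registered (constructed)"},
        "bob": {"address": "MIT Box 0001 (constructed)", "term_address": "", "phone": ""},
    })
    t0 = datetime(1993, 2, 10, 18, 0)
    later = t0 + ACTIVATION_DELAY
    notice = sis.register_extra_password("alice", True, "correct horse", t0)
    sis.register_extra_password("bob", True, "intruder", t0)  # registered by someone else
    sis.dispute("bob")
    queued = sis.request_directory_change("alice", True, "correct horse", later, "phone", "111")
    before = sis.records["alice"]["phone"]  # unchanged until the registrar acts
    sis.registrar_apply(0)
    return {
        "notice_to": notice["mail_to"],
        "too_early": sis.read_personal_data("alice", True, "correct horse", t0 + timedelta(days=2)),
        "wrong_password": sis.read_personal_data("alice", True, "guess", later),
        "no_tickets": sis.read_personal_data("alice", False, "correct horse", later),
        "ok": sis.read_personal_data("alice", True, "correct horse", later) is not None,
        "disputed": sis.read_personal_data("bob", True, "intruder", later),
        "queued": queued, "before_review": before,
        "after_review": sis.records["alice"]["phone"],
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the properties the post argues for: a freshly registered password is useless for a week, a disputed one is useless forever, neither tickets nor the extra password alone suffice, and the only write path leaves the stored record untouched until the registrar applies the queued change.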

Fred Cohen <fc@turing.duq.edu> writes in RISKS v14n33:
! 3 - The best encryption in the world won't make you very safe if you
!dial into CompuServe (NOTE I AM NOT CITING COMPUSERVE AS AN ACTUAL PERPETRATOR
!BUT RATHER AS A CONVENIENT NAME-RECOGNITION IDENTIFIER FOR THE LARGER CLASS OF
!SUCH SERVICES) from your PC to send the information. ...
You're perpetuating a security scare that has no basis in fact.
Prodigy, the latter service you mention, requires the use of its own front-end
program on your PC. You cannot use Prodigy without it. Since this front-end
program executes on your PC, it does have the potential for the abuse you
mention. I personally do not use Prodigy in part because of this security
loophole.
On the other hand, other communication services, such as Compuserve, do not
have this questionable "feature" at all.
You dial Compuserve from your PC with a communications program of your choice.
At all times the contents of your memory and hard drive are under the complete
control of your CPU and communications program.
You are probably thinking of the "Quick B" transfer protocol which appears to
allow Compuserve to "take over" your PC to run both ends of a file
upload/download. (A similar sequence occurs with the popular ZMODEM
protocol.) This is not really so; Compuserve actually sends only an ENQ (05)
character to the PC, which is interpreted by your comm program as a request to
begin a file transfer. Again, the PC's memory and hard drive are still under
the control of your own comm program, not Compuserve. Most comm programs,
such as Telix and Crosstalk, can be configured to ignore ENQ and require the
PC user to execute the transfer command manually.
Bottom line: No online service can cause your PC to execute code that is not
in the PC's memory space, Prodigy notwithstanding.
Mark W. Schumann/3111 Mapledale Avenue/Cleveland, Ohio 44109-2447 USA
Domain: mark@whizbang.wariat.org CIS:73750,3527

Call for Papers: Computer Security Applications Conference

Marshall D. Abrams <abrams@mitre.org> Mon, 22 Feb 93 15:30:48 EST

CALL FOR PAPERS AND PARTICIPATION
Ninth Annual Computer Security
Applications Conference
December 6 - 10, 1993
Orlando Marriott International Drive
Orlando, Florida
The Conference
The Information Age is upon us, along with its attendant needs for
protecting private, proprietary, sensitive, classified, and critical
information. The computer has created a universal addiction to
information in the military, government, and private sectors. The
result is a proliferation of computers, computer networks, databases,
and applications empowered to make decisions ranging from the mundane
to life threatening or life preserving.
Some of the computer security challenges that the community is faced
with include:
* To design architectures capable of protecting the
sensitivity and integrity of information, and of assuring
that expected services are available when needed.
* To design safety-critical systems such that their software and
hardware are not hazardous.
* To develop methods of assuring that computer systems
accorded trust are worthy of that trust.
* To build systems of systems out of components that have
been deemed trustworthy.
* To build applications on evaluated trusted systems without
compromising the inherent trust.
* To apply to the civil and private sectors trusted systems
technologies designed for military applications.
* To extend computer security technology to specifically
address the needs of the civil and private sectors.
* To develop international standards for computer security
technology.
This conference will attempt to address these challenges. It will
explore a broad range of technology applications with security and safety
concerns through the use of technical papers, discussion panels, and
tutorials.
Technical papers, panels and tutorials that address the application of
computer security and safety technologies in the civil, defense, and
commercial environments are solicited. Selected papers will be those
that present examples of in-place or attempted solutions to these
problems in real applications; lessons learned; original research,
analyses and approaches for defining the computer security issues and
problems. Papers that present descriptions of secure systems in use
or under development, or papers presenting general strategy, or
methodologies for analyzing the scope and nature of integrated
computer security issues; and potential solutions are of particular
interest. Papers written by students that are selected for presentation
will also be judged for a Best Student Paper Award. A prize of $500,
plus expenses to attend the conference, will be awarded for the selected
best student paper (contact the Student Paper Award Chairperson for details,
but submit your paper to the Technical Program Chairperson).
Panels of interest include those that present alternative/controversial
viewpoints and/or those that encourage "lively" discussion of relevant
issues. Panels that are simply a collection of unrefereed papers will not
be selected.
INSTRUCTIONS TO AUTHORS:
Send five copies of your paper or panel proposal to Ann Marmor-Squires,
Technical Program Chairman, at the address given below. Since we provide blind
refereeing, we ask that you put names and affiliations of authors on a
separate cover page only. Substantially identical papers that have been
previously published or are under consideration for publication elsewhere
should not be submitted. Panel proposals should be a minimum of one page that
describes the panel theme and appropriateness of the panel for this
conference, as well as identifies panel participants and their respective
viewpoints. Send one copy of your tutorial proposal to Daniel Faigin at the
address given below. It should consist of a one- to two-paragraph abstract of
the tutorial, an initial outline of the material to be presented, and an
indication of the desired tutorial length (full day or half day). Electronic
submission of tutorial proposals is preferred.
Completed papers as well as proposals for panels and tutorials must
be received by May 18, 1993. Authors will be required to certify prior
to June 19, 1993, that any and all necessary clearances for public release
have been obtained; that the author or qualified representative will be
represented at the conference to deliver the paper, and that the paper has
not been accepted elsewhere. Authors will be notified of acceptance by
July 31, 1993. Camera ready copies are due not later than September 18, 1993.
Material should be sent to:
Ann Marmor-Squires
Technical Program Chair
TRW Systems Division
1 Federal Systems Park Dr.
Fairfax, VA 22033
(703) 803-5503
marmor@charm.isi.edu

Daniel Faigin
Tutorial Program Chair
The Aerospace Corporation
P.O. Box 92957, MS M1/055
Los Angeles, CA 90009-2957
(310) 336-8228
faigin@aero.org

Ravi Sandhu
Student Paper Award
George Mason Univ.
ISSE Dept.
Fairfax, VA 22030-4444
(703) 993-1659
sandhu@gmuvax2.gmu.edu
Areas of Interest Include:
Trusted System Architectures
Software Safety Analysis and Design
Current and Future Trusted Systems Technology
Encryption Applications (e.g., Digital Signature)
Application of Formal Assurance Methods
Risk/Hazard Assessments
Security Policy and Management Issues
Trusted DBMSs, Operating Systems and Networks
Open Systems and Composed Systems
Electronic Document Interchange
Certification, Evaluation and Accreditation
Additional Information
For more information or to receive future mailings, please contact
the following at:
Dr. Ronald Gove
Conference Chairman
Booz-Allen & Hamilton
4330 East-West Highway
Bethesda, MD 20814
(301) 951-2395
gover@jmb.ads.com

Diana Akers
Publicity Chair
The MITRE Corporation
7525 Colshire Dr.
McLean, VA 22102
(703) 883-5907
akers@mitre.org